Social media giant Twitter suffered the biggest cyberattack in its history on July 15, 2020. One hundred and thirty Twitter accounts were targeted in the attack, with the cybercriminals gaining control of a total of forty-five high-profile accounts. Some of the affected accounts belonged to Bill Gates, Barack Obama, Elon Musk, Kanye West, Joe Biden, Uber, and Apple. The attackers used these highly visible compromised accounts to promote a cryptocurrency scam. By the time Twitter could lock down the affected accounts and remove the fraudulent tweets, the attackers had made US$120,000 in Bitcoin.
Twitter, confirming the attack, said some of its employees with access to internal systems and tools were targets of “a coordinated social engineering attack”. In this context, “social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information,” Twitter said. A small number of those employees were successfully manipulated, and their user permissions were used to initiate password resets, allowing the attackers to log in to the accounts and tweet from them. Twitter also stated that, of the forty-five compromised accounts, the attackers were able to download the account data of up to eight. The attackers were also able to access private messages in the direct message (DM) inbox of thirty-six of the affected accounts, including that of an elected official in the Netherlands.
Although Twitter did not directly suffer a financial loss as a result of the cyberattack, the damage to the company could come later. The company’s reputation took a major hit, with Twitter users beginning to question the authenticity of the tweets they read. Its stock price also dipped in the days following the cyberattack. This security breach at Twitter provides valuable lessons that every business owner can learn from to prevent a similar event from happening in their own business.
Key lessons include:
- Cybersecurity awareness is vital
The successful attack on Twitter used spear phishing, a social engineering attack in which specific employees were targeted and tricked into disclosing sensitive information that allowed the attackers to gain access to the organization’s internal tools. Organizations must get proactive about their cyber hygiene. Employees should be trained on how to spot scams, how to handle privileged information, and other cybersecurity best practices. The investment in cyber awareness training is far cheaper than the potential cost of a successful breach of an organization’s systems. Great effort should also be put into tightening up cybersecurity protocols, especially with the distributed workforce of today.
- Privileged user accounts should be monitored round the clock
The principle of least privilege states that a user account should only be granted access to the minimum data, tools, or controls needed to effectively carry out its job functions. It is expected that only a few people at Twitter would have had access to the internal tool used in the attack. These types of user accounts absolutely need the most protection possible. It is quite plausible that implementing multi-factor authentication or zero trust could have helped prevent this attack. Organizations must also define their access control policy such that privilege elevation requires an employee to formally request from a supervisor the access they need, why they need it, and for how long. This would serve as a deterrent to internal malicious activity, as employees would be aware that their actions are being traced.
- Consider the insider threat
Organizations must not make the mistake of assuming that cyberattacks only originate from sources outside the organization. Doing so could result in overlooking the risks associated with attacks from within. Organizations must discover whether vulnerabilities exist in their internal controls. Penetration testing and vulnerability assessments are recommended, as they provide useful insights into an organization’s internal controls. Organizations should also seek to find out whether employees are happy. Are they inclined to steal critical business information? Organizations should implement a robust system that actively monitors key control systems and access control points, as these provide information such as a shift to a different pattern of work and changes in network traffic that could help in deducing what is going on with employees. This must be done without infringing on the privacy rights of the employees. Monitoring the enterprise network could also help to detect anomalies early enough to prevent a potential attack. Today, there are great tools, such as AI solutions, that can be used for monitoring user behavior and identifying risk factors.
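The two lessons above, time-bound privilege elevation that records who, what, why and for how long, and monitoring of a privileged tool for anomalous activity, can be tied together in a small audit check. The following is an added illustration, not Twitter's tooling or code from this article; the grant fields, the "account_tool" name, the sample operators and the audit events are all constructed, and the thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical time-bound grant record (assumed fields, not Twitter's real tool):
# who may use which internal tool, why, approved by whom, and for how long.
@dataclass
class Grant:
    operator: str
    tool: str
    reason: str
    approver: str
    start: datetime
    end: datetime

def is_authorized(grants, operator, tool, at):
    """True only if an approved grant for this operator and tool covers time `at`."""
    return any(g.operator == operator and g.tool == tool and g.start <= at <= g.end
               for g in grants)

def find_violations(grants, events, max_resets=3, window=timedelta(minutes=10)):
    """Two checks over a privileged account tool's audit trail:
    1. use of the tool at a moment no grant covers (scope or time overrun);
    2. a burst of password resets by one operator (more than max_resets per window)."""
    alerts, recent = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        op, tool, ts = ev["operator"], ev["tool"], ev["ts"]
        if not is_authorized(grants, op, tool, ts):
            alerts.append(("no_active_grant", op, ts))
        if ev["action"] == "password_reset":
            hist = [t for t in recent.get(op, []) if ts - t <= window] + [ts]
            recent[op] = hist
            if len(hist) > max_resets:
                alerts.append(("reset_burst", op, ts))
    return alerts

# Constructed sample data: one-hour grants for two operators on the account tool.
T0 = datetime(2020, 7, 15, 9, 0)
SAMPLE_GRANTS = [
    Grant("alice", "account_tool", "ticket C-1 (constructed)", "mgr", T0, T0 + timedelta(hours=1)),
    Grant("bob", "account_tool", "ticket C-2 (constructed)", "mgr", T0, T0 + timedelta(hours=1)),
]
def _ev(op, minutes, action="password_reset"):
    return {"operator": op, "tool": "account_tool", "action": action, "ts": T0 + timedelta(minutes=minutes)}
SAMPLE_EVENTS = [_ev("alice", 10), _ev("alice", 90),  # the second is after alice's grant expired
                 _ev("bob", 20), _ev("bob", 21), _ev("bob", 22), _ev("bob", 23)]  # four resets in 3 min

def demo():
    return find_violations(SAMPLE_GRANTS, SAMPLE_EVENTS)

if __name__ == "__main__":
    for kind, op, ts in demo():
        print(f"{ts:%H:%M} {kind:16} operator={op}")
```

On the sample data this flags bob's burst of resets and alice's use of the tool after her grant expired, while alice's in-window reset passes silently.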